ABSTRACT

A new proof is given that every property can be expressed as a conjunction of safety and liveness properties. The proof is in terms of first-order predicate logic.
1. Introduction

Two classes of properties are of particular interest when considering programs: safety properties and liveness properties. Informally, a safety property stipulates that "bad things" do not happen during execution of a program and a liveness property stipulates that "good things" do happen (eventually) [2]. Distinguishing between safety and liveness properties is useful because knowing whether a property is safety or liveness helps when deciding how to prove that the property holds for a program.

In [1], formal definitions of safety and liveness are given and it is proved that every property can be expressed as the conjunction of a safety property and a liveness property. The formal definitions of safety and liveness are given in terms of first-order predicate logic, but the proof that every property can be decomposed into safety and liveness is not — it uses topology. The purpose of this paper is to give a proof of this theorem using only first-order predicate logic.

2. Specifying Properties

A program state is a mapping from variables to values. An execution of a concurrent program can be viewed as an infinite sequence of program states

$$\sigma = s_0\, s_1 \ldots,$$

which we call a history. In a history, $s_0$ is an initial state of the program and each subsequent state results from executing a single atomic action in the preceding state. (For a terminating execution, an infinite sequence is obtained by repeating the final state.) A property is a set of such sequences.

One way to specify a property is by using first-order predicate logic. For a state $s$, define $s.v$ to be the value of variable $v$ in that state. A formula of first-order predicate logic where $s$ is the only free variable defines a set of states. For example,

$$(\forall i:\ 1 \le i < N:\ s.a[i] \le s.a[i+1])$$

specifies the set of states in which the elements of array $a[1{:}N]$ are sorted. Usually "$s.$" is implicit and therefore left out of such a formula, resulting in the more familiar use of first-order predicate logic as an assertion language.

A set of sequences of states — a property — can also be defined using first-order predicate logic. To facilitate such specifications, for any sequence $\sigma = s_0\, s_1 \ldots$ define for $0 \le i$:

$\sigma[i] \triangleq s_i.$
$\sigma[..i] \triangleq s_0\, s_1 \ldots s_{i-1}.$ The empty sequence if $i = 0$.
$|\sigma| \triangleq$ the length of $\sigma$ ($\infty$ if $\sigma$ is infinite).

A formula of first-order predicate logic in which $\sigma$ is the only free variable defines the set of sequences that satisfy the formula and therefore specifies a property. For example,

$$(\forall i:\ 0 \le i:\ \sigma[i].v = 0)$$

specifies the property in which the value of $v$ remains 0 throughout execution.

We write $\sigma \models P$ if $\sigma \in S^\omega$ is in the property specified by $P$. Thus,

$\sigma \models P = P^{\sigma}_{\sigma}$,
$\sigma \not\models P = \neg P^{\sigma}_{\sigma}$.

3. Safety and Liveness

According to [1], a property $P$ is a safety property provided

Safety: $(\forall \sigma:\ \sigma \in S^\omega:\ \sigma \not\models P \Rightarrow (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P)))$, (3.1)

where $S$ is the set of program states, $S^*$ the set of finite sequences of states, $S^\omega$ the set of infinite sequences of states, and juxtaposition is used to denote catenation of sequences. A property $P$ is a liveness property provided

Liveness: $(\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P))$. (3.2)

Given a property $P$, we are interested in defining properties $Safe(P)$ and $Live(P)$ such that

• $Safe(P)$ is a safety property,

• $Live(P)$ is a liveness property, and

• $P = Safe(P) \wedge Live(P)$.

Observe that if

$Safe(P) = P \vee M_P$
$Live(P) = P \vee \neg M_P$

then

$Safe(P) \wedge Live(P) = (P \vee M_P) \wedge (P \vee \neg M_P)$
$= (P \wedge P) \vee (P \wedge \neg M_P) \vee (M_P \wedge P) \vee (M_P \wedge \neg M_P)$
$= P$

Hence, we have only to look for an $M_P$ that makes $P \vee M_P$ (i.e. $Safe(P)$) a safety property and $P \vee \neg M_P$ (i.e. $Live(P)$) a liveness property.

It turns out that using

$M_P:\ (\forall i:\ 0 \le i:\ (\exists \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \models P))$

suffices. First, we show formally that $Safe(P)$ satisfies definition (3.1) of safety. The proof that follows is a sequence of first-order predicate logic formulas with explanations interspersed (and delimited by « and ») of how each formula is derived from its predecessor.

Choose any $\sigma \in S^\omega$:

$\sigma \not\models Safe(P)$

«by definition of $Safe(P)$»

$= \sigma \not\models (P \vee (\forall i:\ 0 \le i:\ (\exists \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \models P)))$

«by definition of $\not\models$»

$= \neg(P \vee (\forall i:\ 0 \le i:\ (\exists \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \models P)))^{\sigma}_{\sigma}$

«by substitution»

$= \neg(P \vee (\forall i:\ 0 \le i:\ (\exists \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \models P)))$

«by De Morgan's Laws»

$= \neg P \wedge (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P))$

«$A \wedge B \Rightarrow B$»

$\Rightarrow (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P))$

«because $(\forall x::\ A) = (\forall x::\ A \wedge (\forall y::\ A^{x}_{y}))$»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge (\forall \gamma:\ \gamma \in S^\omega:\ \sigma[..i]\gamma \not\models P)))$

«because $true \wedge P = P$ and $(\sigma[..i]\beta)[..i] = \sigma[..i]$»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge (i = i) \wedge (\forall \gamma:\ \gamma \in S^\omega:\ (\sigma[..i]\beta)[..i]\gamma \not\models P)))$

«by substitution»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge (k = i)^{k}_{i} \wedge (\forall \gamma:\ \gamma \in S^\omega:\ (\sigma[..i]\beta)[..k]\gamma \not\models P)^{k}_{i}))$

«by $\exists$-Generalization»

$\Rightarrow (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge (\exists k:\ k = i:\ (\forall \gamma:\ \gamma \in S^\omega:\ (\sigma[..i]\beta)[..k]\gamma \not\models P))))$

«by Range Widening»

$\Rightarrow (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge (\exists k:\ 0 \le k:\ (\forall \gamma:\ \gamma \in S^\omega:\ (\sigma[..i]\beta)[..k]\gamma \not\models P))))$

«by De Morgan's Law»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge \neg(\forall k:\ 0 \le k:\ (\exists \gamma:\ \gamma \in S^\omega:\ (\sigma[..i]\beta)[..k]\gamma \models P))))$

«by definition of $\not\models$»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P \wedge \sigma[..i]\beta \not\models (\forall k:\ 0 \le k:\ (\exists \gamma:\ \gamma \in S^\omega:\ \sigma[..k]\gamma \models P))))$

«because $\sigma \not\models A \wedge \sigma \not\models B = \sigma \not\models (A \vee B)$»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models (P \vee (\forall k:\ 0 \le k:\ (\exists \gamma:\ \gamma \in S^\omega:\ \sigma[..k]\gamma \models P)))))$

«by definition of $Safe(P)$»

$= (\exists i:\ 0 \le i:\ (\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models Safe(P)))$

It is not surprising that $Safe(P)$ is a safety property. If $\sigma \not\models Safe(P)$ then, by definition, $\sigma \not\models M_P$. However, this means there exists an $i$ such that

$(\forall \beta:\ \beta \in S^\omega:\ \sigma[..i]\beta \not\models P)$.

We could consider prefix $\sigma[..i]$ to be a "bad thing". Thus, $\sigma$ violates a safety property whenever $\sigma \not\models Safe(P)$.

We now show formally that $Live(P)$ satisfies definition (3.2) of liveness.

$(\forall \alpha:\ \alpha \in S^*:\ true)$

«since $true = A \vee \neg A$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P) \vee \neg(\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P))$

«renaming bound variable $\beta$ to $\gamma$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P) \vee \neg(\exists \gamma:\ \gamma \in S^\omega:\ \alpha\gamma \models P))$

«since $\beta$ is not free in $(\exists \gamma:\ \gamma \in S^\omega:\ \alpha\gamma \models P)$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee \neg(\exists \gamma:\ \gamma \in S^\omega:\ \alpha\gamma \models P)))$

«by De Morgan's Law»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee (\forall \gamma:\ \gamma \in S^\omega:\ \alpha\gamma \not\models P)))$

«since $true \wedge A = A$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee (|\alpha| = |\alpha| \wedge (\forall \gamma:\ \gamma \in S^\omega:\ \alpha\gamma \not\models P))))$

«by substitution, since $(\alpha\beta)[..|\alpha|] = \alpha$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee ((i = |\alpha|)^{i}_{|\alpha|} \wedge (\forall \gamma:\ \gamma \in S^\omega:\ (\alpha\beta)[..i]\gamma \not\models P)^{i}_{|\alpha|})))$

«by $\exists$-Generalization»

$\Rightarrow (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee (\exists i:\ i = |\alpha|:\ (\forall \gamma:\ \gamma \in S^\omega:\ (\alpha\beta)[..i]\gamma \not\models P))))$

«by Range Widening»

$\Rightarrow (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee (\exists i:\ 0 \le i:\ (\forall \gamma:\ \gamma \in S^\omega:\ (\alpha\beta)[..i]\gamma \not\models P))))$

«by De Morgan's Law»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee \neg(\forall i:\ 0 \le i:\ (\exists \gamma:\ \gamma \in S^\omega:\ (\alpha\beta)[..i]\gamma \models P))))$

«by definition of $\alpha\beta \models A$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models P \vee \alpha\beta \models \neg(\forall i:\ 0 \le i:\ (\exists \gamma:\ \gamma \in S^\omega:\ \sigma[..i]\gamma \models P))))$

«because $\alpha\beta \models A \vee \alpha\beta \models B = \alpha\beta \models (A \vee B)$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models (P \vee \neg(\forall i:\ 0 \le i:\ (\exists \gamma:\ \gamma \in S^\omega:\ \sigma[..i]\gamma \models P)))))$

«by definition of $Live(P)$»

$= (\forall \alpha:\ \alpha \in S^*:\ (\exists \beta:\ \beta \in S^\omega:\ \alpha\beta \models Live(P)))$

«by Liveness definition (3.2)»

$= Live(P)$ is liveness.

An informal justification that $Live(P)$ is liveness is the following. If $\sigma \not\models Live(P)$ then, by definition, $\sigma \models M_P$. From $\sigma \models M_P$, we conclude that it always remains possible for some "good thing" (i.e. $\beta$ in $M_P$) to happen. This is the defining characteristic of liveness, so $\sigma$ violates a liveness property whenever $\sigma \not\models Live(P)$.
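As an added illustration of the decomposition just proved (example code written for this edit, not part of the paper): a property $P$ is fixed as a deterministic Büchi automaton over a finite set of program states, infinite histories are represented as lassos (a finite prefix followed by a finite cycle repeated forever), and the names in_P, in_M, in_Safe, in_Live, bad_prefix, live_extension and check_decomposition are the example's own. The quantification over all infinite $\beta$ in $M_P$ is decided by reachability in the automaton: a prefix can be completed into $P$ exactly when the automaton state it reaches can reach an accepting state that lies on a cycle. The concrete property, "v is never 2 and eventually becomes 1", and the sample histories are constructed; any other deterministic Büchi automaton can be substituted for DELTA, INIT and ACCEPT, so the check generalizes beyond this one property. check_decomposition verifies $P = Safe(P) \wedge Live(P)$ on every sample lasso, exhibits the bad prefix of definition (3.1) for each history outside $Safe(P)$, and builds the extension of definition (3.2) for each finite $\alpha$.

```python
"""Safety/liveness decomposition on a finite-state model (added example, not from the paper).
P is a deterministic Buechi automaton over a finite set of program states: an infinite history is
in P iff its run visits an accepting automaton state infinitely often. A history is written as a
lasso (prefix, cycle), meaning prefix followed by cycle repeated forever. All inputs are constructed."""
from collections import deque
from itertools import product

# Constructed P: "v is never 2, and v eventually becomes 1"; program states are the values of v.
STATES = (0, 1, 2)
# Automaton states: 'w' waiting for a 1, 'g' good (saw 1, never 2), 'x' sink (saw 2).
DELTA = {('w', 0): 'w', ('w', 1): 'g', ('w', 2): 'x',
         ('g', 0): 'g', ('g', 1): 'g', ('g', 2): 'x',
         ('x', 0): 'x', ('x', 1): 'x', ('x', 2): 'x'}
INIT, ACCEPT = 'w', {'g'}
NQ = len({q for q, _ in DELTA})          # number of automaton states

def run(q, word):
    for s in word:
        q = DELTA[(q, s)]
    return q

def find_word(q, goal, nonempty=False):
    """BFS for a shortest word w (non-empty if requested) with goal(run(q, w)); (w, target) or (None, None)."""
    queue = deque([(DELTA[(q, s)], [s]) for s in STATES] if nonempty else [(q, [])])
    seen = set()
    while queue:
        r, w = queue.popleft()
        if goal(r):
            return w, r
        if r not in seen:
            seen.add(r)
            queue.extend((DELTA[(r, s)], w + [s]) for s in STATES)
    return None, None

def accepting_on_cycle(r):
    """r is accepting and can return to itself, so some accepted infinite word starts at r."""
    return r in ACCEPT and find_word(r, lambda t: t == r, nonempty=True)[0] is not None

def extendable(q):
    """Some infinite continuation from automaton state q is accepted by the automaton."""
    return find_word(q, accepting_on_cycle)[0] is not None

def in_P(prefix, cycle):
    """sigma |= P for sigma = prefix cycle^omega: an accepting state is visited infinitely often."""
    q, boundaries = run(INIT, prefix), []
    while q not in boundaries:           # automaton states at cycle boundaries become periodic
        boundaries.append(q)
        q = run(q, cycle)
    periodic = boundaries[boundaries.index(q):]   # boundary states the run returns to forever
    return any(run(b, cycle[:n + 1]) in ACCEPT for b in periodic for n in range(len(cycle)))

def bad_prefix(prefix, cycle):
    """Shortest sigma[..i] that no extension completes into P, or None if every prefix is extendable.
    NQ+1 cycle copies suffice: by then the run has visited every automaton state it ever will."""
    word, q = list(prefix) + list(cycle) * (NQ + 1), INIT
    for i in range(len(word) + 1):
        if not extendable(q):
            return word[:i]
        if i < len(word):
            q = DELTA[(q, word[i])]
    return None

def in_M(prefix, cycle):      # sigma |= M_P: every prefix can still be completed into P
    return bad_prefix(prefix, cycle) is None
def in_Safe(prefix, cycle):   # Safe(P) = P or M_P
    return in_P(prefix, cycle) or in_M(prefix, cycle)
def in_Live(prefix, cycle):   # Live(P) = P or not M_P
    return in_P(prefix, cycle) or not in_M(prefix, cycle)

def live_extension(alpha):
    """A lasso alpha beta with alpha beta |= Live(P): the witness that definition (3.2) asks for."""
    q = run(INIT, alpha)
    if not extendable(q):                # alpha is a bad prefix, so every extension falsifies M_P
        return list(alpha), [STATES[0]]
    to_a, a = find_word(q, accepting_on_cycle)
    return list(alpha) + to_a, find_word(a, lambda t: t == a, nonempty=True)[0]

def sample_lassos(max_prefix=2, max_cycle=2):
    for pl, cl in product(range(max_prefix + 1), range(1, max_cycle + 1)):
        for prefix, cycle in product(product(STATES, repeat=pl), product(STATES, repeat=cl)):
            yield list(prefix), list(cycle)

def check_decomposition():
    """P = Safe(P) and Live(P) on every sample lasso, with the (3.1) and (3.2) witnesses checked."""
    for prefix, cycle in sample_lassos():
        if in_P(prefix, cycle) != (in_Safe(prefix, cycle) and in_Live(prefix, cycle)):
            return False
        if not in_Safe(prefix, cycle):
            bad = bad_prefix(prefix, cycle)
            # (3.1): a bad prefix exists and every sampled extension of it violates Safe(P)
            if bad is None or any(in_Safe(bad + p, c) for p, c in sample_lassos(1, 1)):
                return False
    for n in range(4):                   # (3.2): every finite alpha extends into Live(P)
        for alpha in product(STATES, repeat=n):
            if not in_Live(*live_extension(list(alpha))):
                return False
    return True
```

Calling check_decomposition() returns True, and the three sample histories sort out as the text predicts: ([0, 1], [0]) satisfies $P$ and both halves; the all-zero history ([], [0]) is in $Safe(P)$ but not $Live(P)$ (nothing bad ever happens, the good thing never does); ([0, 2], [0]) is outside $Safe(P)$ and inside $Live(P)$, with bad_prefix reporting [0, 2] as the finite "bad thing". That asymmetry is what matters for monitoring: a run-time monitor can flag the third history at a finite point, but no finite observation of the second ever justifies an alarm.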


Acknowledgment

David Gries made numerous suggestions — some of which I even adopted — about presenting the proofs.

References

[1] Alpern, B., and F.B. Schneider. Defining liveness. Information Processing Letters 21 (Oct 1985), 181-185.

[2] Lamport, L. Proving the correctness of multiprocess programs. IEEE Trans. on Software Engineering SE-3, 2 (March 1977), 125-143.


